Aurora Improper Input Sanitization Bugfix Review ($1,000,000 in Aurora)

We discussed this vulnerability during Episode 155 on 03 October 2022

tl;dr Force others to pay you a fee for giving them a worthless token.

The Aurora Engine is an EVM running on the NEAR blockchain; the idea is to let developers who write EVM smart contracts deploy them on NEAR. To accommodate this, the engine also exposes functions for transferring tokens between NEAR and the EVM. The problem specifically arises in ft_on_transfer, which is used to exchange a NEP-141 (NEAR) token for its equivalent ERC20 (EVM) token. This function allows the sender to specify a fee that should be paid to the message relayer.

What this means is that an attacker can mint a NEP-141 token that is basically worthless, create a mapping between that NEP-141 token and an ERC20 token, and then transfer the token to a victim (transferring tokens does not require the consent of the recipient). In the transfer they specify a high fee to be paid to the relayer, which is the attacker themselves, and Aurora pays that fee out to them. Since the recipient never agreed to the transfer or to the fee, the attacker can charge anyone a fee of their choosing in exchange for a token worth nothing.
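The pattern above, as an added example that is not part of the original write-up and not the Aurora Engine's own code: a toy Rust ledger with two versions of ft_on_transfer. The vulnerable version credits the bridged token to the recipient and then moves the sender-chosen fee out of the recipient's own balance to the relayer; the hardened version is an illustrative alternative (not the project's actual patch) in which the fee can only come out of the amount the sender transferred, in the same token, so nothing is ever debited from the recipient. The Engine/TransferMsg types, account names, token name "worthless.near" and all amounts are constructed for the example.

```rust
use std::collections::HashMap;

/// Message the sender attaches to a NEP-141 transfer. In this model the sender
/// controls every field, including the fee and who is named as relayer.
/// (Hypothetical type, not the engine's real message format.)
#[derive(Debug)]
struct TransferMsg {
    recipient: String,
    relayer: String,
    fee: u128,
}

/// Minimal ledger: one "native" balance per account (what fees are paid from in
/// the vulnerable path) and one balance per (token, account) for bridged tokens.
#[derive(Default, Debug)]
struct Engine {
    native: HashMap<String, u128>,
    tokens: HashMap<(String, String), u128>,
}

impl Engine {
    fn native_of(&self, acct: &str) -> u128 {
        self.native.get(acct).copied().unwrap_or(0)
    }

    fn token_of(&self, token: &str, acct: &str) -> u128 {
        self.tokens
            .get(&(token.to_string(), acct.to_string()))
            .copied()
            .unwrap_or(0)
    }

    fn credit_token(&mut self, token: &str, acct: &str, amount: u128) {
        *self
            .tokens
            .entry((token.to_string(), acct.to_string()))
            .or_insert(0) += amount;
    }

    /// Vulnerable pattern: the bridged tokens are credited to the recipient in
    /// full, then the sender-chosen fee is taken from the *recipient's* native
    /// balance and handed to the relayer. The recipient consented to none of it.
    fn ft_on_transfer_vulnerable(
        &mut self,
        token: &str,
        amount: u128,
        msg: &TransferMsg,
    ) -> Result<(), String> {
        self.credit_token(token, &msg.recipient, amount);
        let have = self.native_of(&msg.recipient);
        if have < msg.fee {
            return Err("recipient cannot cover fee".into());
        }
        self.native.insert(msg.recipient.clone(), have - msg.fee);
        *self.native.entry(msg.relayer.clone()).or_insert(0) += msg.fee;
        Ok(())
    }

    /// Hardened pattern (illustrative, not the project's fix): the fee is a cost
    /// borne by the sender, carved out of the amount they transferred, in the
    /// same token. The recipient's balances are never debited.
    fn ft_on_transfer_fixed(
        &mut self,
        token: &str,
        amount: u128,
        msg: &TransferMsg,
    ) -> Result<(), String> {
        if msg.fee > amount {
            return Err("fee exceeds transferred amount".into());
        }
        self.credit_token(token, &msg.recipient, amount - msg.fee);
        if msg.fee > 0 {
            self.credit_token(token, &msg.relayer, msg.fee);
        }
        Ok(())
    }
}

/// Attack scenario with constructed values: the attacker sends a worthless token
/// to the victim with a large fee payable to themselves. Returns
/// (victim native, attacker native, victim token, attacker token).
fn run_attack(fixed: bool) -> (u128, u128, u128, u128) {
    let mut e = Engine::default();
    e.native.insert("victim".into(), 1_000);
    let msg = TransferMsg { recipient: "victim".into(), relayer: "attacker".into(), fee: 900 };
    let res = if fixed {
        e.ft_on_transfer_fixed("worthless.near", 1_000_000, &msg)
    } else {
        e.ft_on_transfer_vulnerable("worthless.near", 1_000_000, &msg)
    };
    assert!(res.is_ok());
    (
        e.native_of("victim"),
        e.native_of("attacker"),
        e.token_of("worthless.near", "victim"),
        e.token_of("worthless.near", "attacker"),
    )
}

fn main() {
    println!("vulnerable: {:?}", run_attack(false)); // victim loses 900 native units
    println!("fixed:      {:?}", run_attack(true)); // victim's native balance untouched
}
```

In the vulnerable run the victim's native balance drops from 1000 to 100 and the attacker gains 900 while the victim is left holding a million units of a token nobody wants; in the hardened run the victim's native balance is untouched and the only thing the "fee" can ever be paid in is the worthless token itself, which removes the incentive entirely.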